Five Eyes threatens to force encryption backdoors, says 'privacy is not absolute'

The Five Eyes government intelligence alliance issued an encryption ultimatum to tech companies and device makers.

Thinkstock

“Privacy is not absolute,” said Five Eyes, and tech companies will either have to give the Five Eyes government alliance access to encrypted data, communications, and devices or else.

Or else what? According to the recently issued Statement of Principles on Access to Evidence and Encryption, it seems the government intelligence alliance (representing the U.S., the U.K., Canada, Australia and New Zealand) is ready to bring the pain by pursing “technological, enforcement, legislative or other measures to achieve lawful access solutions.”

That is but one statement that came after government representatives of the five countries met in Australia at the end of August. None of the statements issued specifically mention “backdoors.” In fact, Five Eyes calls encryption “vital to the digital economy, a secure cyberspace and the protection of personal, commercial and government information. The five countries have no interest or intention to weaken encryption mechanisms.”

But from there, it’s the same old song and dance. Baddies – such as criminals and terrorists – use encryption and end-to-end encryption, and keeping intelligence and law enforcement from accessing their encrypted data and communications makes it difficult “to protect” communities. Five Eyes says tech companies, device manufacturers, and carriers have a “mutual responsibility” to “assist authorities to lawfully access data, including the "content of communications.”

“Privacy laws must prevent arbitrary or unlawful interference, but privacy is not absolute,” Five Eyes said. “The increasing gap between the ability of law enforcement to lawfully access data and their ability to acquire and use the content of that data is a pressing international concern that requires urgent, sustained attention and informed discussion on the complexity of the issues and interests at stake.”

Five Eyes was disappointed that digital industry CEOs were not interested in attending the meetings and put emphasis on “freedom of choice for lawful access solutions,” but not freedom of choice to prevent access to encrypted communications.

The Governments of the Five Eyes encourage information and communications technology service providers to voluntarily establish lawful access solutions to their products and services that they create or operate in our countries. Governments should not favor a particular technology; instead, providers may create customized solutions, tailored to their individual system architectures that are capable of meeting lawful access requirements. Such solutions can be a constructive approach to current challenges.

Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions.

Each Five Eyes jurisdiction “will consider how best to implement the principles of this statement, including with the voluntary cooperation of industry partners. Any response, be it legislative or otherwise, will adhere to requirements for proper authorization and oversight, and to the traditional requirements that access to information is underpinned by warrant or other legal process.”

Five Eyes' online safety requests

On top of all that, Five Eyes called upon the tech industry “to meet public expectations regarding online safety” by doing the following:

Developing and implementing capabilities to prevent illegal and illicit content from ever being uploaded, and to execute urgent and immediate takedown where there is a failure to prevent upload.

Deploying human and automated capabilities to seek out and remove legacy content.

Acting on previous commitments to invest in automated capabilities and techniques (including photo DNA tools) to detect, remove and prevent re‑upload of illegal and illicit content, as well as content that violates a company's terms of service.

Prioritizing the protection of the user by building user safety into the design of all online platforms and services, including new technologies before they are deployed.

Building upon successful hash sharing efforts to further assist in proactive removal of illicit content.